 |
netfilter
firewalling, NAT, and packet mangling for linux
|
|
|
netfilter
firewalling, NAT, and packet mangling for linux
|
|
#include <stdbool.h>#include <libnftnl/rule.h>#include <libnftnl/expr.h>#include <linux/netfilter_arp/arp_tables.h>#include "xshared.h"
Data Structures | |
| struct | nft_xt_ctx |
| struct | nft_family_ops |
| struct | addr_mask |
| struct | xtables_args |
Macros | |
| #define | DEBUGP(x, args...) |
| #define | FMT_NUMERIC 0x0001 |
| #define | FMT_NOCOUNTS 0x0002 |
| #define | FMT_KILOMEGAGIGA 0x0004 |
| #define | FMT_OPTIONS 0x0008 |
| #define | FMT_NOTABLE 0x0010 |
| #define | FMT_NOTARGET 0x0020 |
| #define | FMT_VIA 0x0040 |
| #define | FMT_NONEWLINE 0x0080 |
| #define | FMT_LINENUMBERS 0x0100 |
| #define | FMT_PRINT_RULE |
| #define | FMT(tab, notab) ((format) & FMT_NOTABLE ? (notab) : (tab)) |
| #define | CMD_NONE 0x0000U |
| #define | CMD_INSERT 0x0001U |
| #define | CMD_DELETE 0x0002U |
| #define | CMD_DELETE_NUM 0x0004U |
| #define | CMD_REPLACE 0x0008U |
| #define | CMD_APPEND 0x0010U |
| #define | CMD_LIST 0x0020U |
| #define | CMD_FLUSH 0x0040U |
| #define | CMD_ZERO 0x0080U |
| #define | CMD_NEW_CHAIN 0x0100U |
| #define | CMD_DELETE_CHAIN 0x0200U |
| #define | CMD_SET_POLICY 0x0400U |
| #define | CMD_RENAME_CHAIN 0x0800U |
| #define | CMD_LIST_RULES 0x1000U |
| #define | CMD_ZERO_NUM 0x2000U |
| #define | CMD_CHECK 0x4000U |
Enumerations | |
| enum | { NFT_XT_CTX_PAYLOAD = (1 << 0), NFT_XT_CTX_META = (1 << 1), NFT_XT_CTX_BITWISE = (1 << 2) } |
Functions | |
| void | add_meta (struct nft_rule *r, uint32_t key) |
| void | add_payload (struct nft_rule *r, int offset, int len) |
| void | add_bitwise_u16 (struct nft_rule *r, int mask, int xor) |
| void | add_cmp_ptr (struct nft_rule *r, uint32_t op, void *data, size_t len) |
| void | add_cmp_u8 (struct nft_rule *r, uint8_t val, uint32_t op) |
| void | add_cmp_u16 (struct nft_rule *r, uint16_t val, uint32_t op) |
| void | add_cmp_u32 (struct nft_rule *r, uint32_t val, uint32_t op) |
| void | add_iniface (struct nft_rule *r, char *iface, uint32_t op) |
| void | add_outiface (struct nft_rule *r, char *iface, uint32_t op) |
| void | add_addr (struct nft_rule *r, int offset, void *data, void *mask, size_t len, uint32_t op) |
| void | add_proto (struct nft_rule *r, int offset, size_t len, uint8_t proto, uint32_t op) |
| void | add_compat (struct nft_rule *r, uint32_t proto, bool inv) |
| bool | is_same_interfaces (const char *a_iniface, const char *a_outiface, unsigned const char *a_iniface_mask, unsigned const char *a_outiface_mask, const char *b_iniface, const char *b_outiface, unsigned const char *b_iniface_mask, unsigned const char *b_outiface_mask) |
| void | parse_meta (struct nft_rule_expr *e, uint8_t key, char *iniface, unsigned char *iniface_mask, char *outiface, unsigned char *outiface_mask, uint8_t *invflags) |
| void | print_proto (uint16_t proto, int invert) |
| void | get_cmp_data (struct nft_rule_expr *e, void *data, size_t dlen, bool *inv) |
| void | nft_parse_bitwise (struct nft_xt_ctx *ctx, struct nft_rule_expr *e) |
| void | nft_parse_cmp (struct nft_xt_ctx *ctx, struct nft_rule_expr *e) |
| void | nft_parse_target (struct nft_xt_ctx *ctx, struct nft_rule_expr *e) |
| void | nft_parse_meta (struct nft_xt_ctx *ctx, struct nft_rule_expr *e) |
| void | nft_parse_payload (struct nft_xt_ctx *ctx, struct nft_rule_expr *e) |
| void | nft_parse_counter (struct nft_rule_expr *e, struct xt_counters *counters) |
| void | nft_parse_immediate (struct nft_xt_ctx *ctx, struct nft_rule_expr *e) |
| void | nft_rule_to_iptables_command_state (struct nft_rule *r, struct iptables_command_state *cs) |
| void | print_header (unsigned int format, const char *chain, const char *pol, const struct xt_counters *counters, bool basechain, uint32_t refs) |
| void | print_firewall_details (const struct iptables_command_state *cs, const char *targname, uint8_t flags, uint8_t invflags, uint8_t proto, unsigned int num, unsigned int format) |
| void | print_ifaces (const char *iniface, const char *outiface, uint8_t invflags, unsigned int format) |
| void | print_matches_and_target (struct iptables_command_state *cs, unsigned int format) |
| void | save_firewall_details (const struct iptables_command_state *cs, uint8_t invflags, uint16_t proto, const char *iniface, unsigned const char *iniface_mask, const char *outiface, unsigned const char *outiface_mask) |
| void | save_counters (uint64_t pcnt, uint64_t bcnt) |
| void | save_matches_and_target (struct xtables_rule_match *m, struct xtables_target *target, const char *jumpto, uint8_t flags, const void *fw) |
| struct nft_family_ops * | nft_family_ops_lookup (int family) |
| bool | nft_ipv46_rule_find (struct nft_family_ops *ops, struct nft_rule *r, struct iptables_command_state *cs) |
| bool | compare_targets (struct xtables_target *tg1, struct xtables_target *tg2) |
| #define CMD_APPEND 0x0010U |
| #define CMD_CHECK 0x4000U |
| #define CMD_DELETE 0x0002U |
| #define CMD_DELETE_CHAIN 0x0200U |
| #define CMD_DELETE_NUM 0x0004U |
| #define CMD_FLUSH 0x0040U |
| #define CMD_INSERT 0x0001U |
| #define CMD_LIST 0x0020U |
| #define CMD_LIST_RULES 0x1000U |
| #define CMD_NEW_CHAIN 0x0100U |
| #define CMD_NONE 0x0000U |
| #define CMD_RENAME_CHAIN 0x0800U |
| #define CMD_REPLACE 0x0008U |
| #define CMD_SET_POLICY 0x0400U |
| #define CMD_ZERO 0x0080U |
| #define CMD_ZERO_NUM 0x2000U |
| #define DEBUGP | ( | x, | |
| args... | |||
| ) |
| #define FMT | ( | tab, | |
| notab | |||
| ) | ((format) & FMT_NOTABLE ? (notab) : (tab)) |
| #define FMT_KILOMEGAGIGA 0x0004 |
| #define FMT_LINENUMBERS 0x0100 |
| #define FMT_NOCOUNTS 0x0002 |
| #define FMT_NONEWLINE 0x0080 |
| #define FMT_NOTABLE 0x0010 |
| #define FMT_NOTARGET 0x0020 |
| #define FMT_NUMERIC 0x0001 |
| #define FMT_OPTIONS 0x0008 |
| #define FMT_PRINT_RULE |
| #define FMT_VIA 0x0040 |
References NFT_EXPR_BITWISE_DREG, NFT_EXPR_BITWISE_LEN, NFT_EXPR_BITWISE_MASK, NFT_EXPR_BITWISE_SREG, NFT_EXPR_BITWISE_XOR, NFT_REG_1, nft_rule_add_expr(), nft_rule_expr_alloc(), nft_rule_expr_set(), nft_rule_expr_set_u32(), and NULL.
References NFT_EXPR_CMP_DATA, NFT_EXPR_CMP_OP, NFT_EXPR_CMP_SREG, NFT_REG_1, nft_rule_add_expr(), nft_rule_expr_alloc(), nft_rule_expr_set(), nft_rule_expr_set_u32(), and NULL.
Referenced by add_addr(), add_cmp_u16(), add_cmp_u32(), add_cmp_u8(), add_iniface(), and add_outiface().
References add_cmp_ptr().
Referenced by add_proto().
References NFT_RULE_ATTR_COMPAT_FLAGS, NFT_RULE_ATTR_COMPAT_PROTO, nft_rule_attr_set_u32(), and NFT_RULE_COMPAT_F_INV.
References add_cmp_ptr(), add_meta(), and NFT_META_IIFNAME.
References NFT_EXPR_META_DREG, NFT_EXPR_META_KEY, NFT_REG_1, nft_rule_add_expr(), nft_rule_expr_alloc(), nft_rule_expr_set_u32(), and NULL.
Referenced by add_iniface(), and add_outiface().
References add_cmp_ptr(), add_meta(), and NFT_META_OIFNAME.
References NFT_EXPR_PAYLOAD_BASE, NFT_EXPR_PAYLOAD_DREG, NFT_EXPR_PAYLOAD_LEN, NFT_EXPR_PAYLOAD_OFFSET, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1, nft_rule_add_expr(), nft_rule_expr_alloc(), nft_rule_expr_set_u32(), and NULL.
Referenced by add_addr(), and add_proto().
| bool compare_targets | ( | struct xtables_target * | tg1, |
| struct xtables_target * | tg2 | ||
| ) |
References xt_entry_target::data, NULL, xtables_target::t, xt_entry_target::u, xt_entry_target::user, and xtables_target::userspacesize.
Referenced by nft_ipv46_rule_find().
| void get_cmp_data | ( | struct nft_rule_expr * | e, |
| void * | data, | ||
| size_t | dlen, | ||
| bool * | inv | ||
| ) |
References len, NFT_CMP_NEQ, NFT_EXPR_CMP_DATA, NFT_EXPR_CMP_OP, nft_rule_expr_get(), and nft_rule_expr_get_u32().
| struct nft_family_ops* nft_family_ops_lookup | ( | int | family | ) |
References NFPROTO_ARP, nft_family_ops_arp, nft_family_ops_ipv4, nft_family_ops_ipv6, and NULL.
Referenced by do_commandarp(), do_commandx(), nft_parse_cmp(), nft_parse_immediate(), nft_parse_target(), nft_rule_list(), and nft_rule_print_save().
| bool nft_ipv46_rule_find | ( | struct nft_family_ops * | ops, |
| struct nft_rule * | r, | ||
| struct iptables_command_state * | cs | ||
| ) |
References compare_targets(), DEBUGP, nft_family_ops::is_same, iptables_command_state::jumpto, iptables_command_state::matches, NFT_RULE_APPEND, nft_rule_print_save(), nft_rule_to_iptables_command_state(), and iptables_command_state::target.
| void nft_parse_bitwise | ( | struct nft_xt_ctx * | ctx, |
| struct nft_rule_expr * | e | ||
| ) |
References nft_xt_ctx::bitwise, data, nft_xt_ctx::flags, len, nft_xt_ctx::mask, NFT_EXPR_BITWISE_MASK, NFT_EXPR_BITWISE_SREG, NFT_EXPR_BITWISE_XOR, nft_rule_expr_get(), nft_rule_expr_get_u32(), NFT_XT_CTX_BITWISE, nft_xt_ctx::reg, and nft_xt_ctx::xor.
Referenced by nft_rule_to_arptables_command_state(), and nft_rule_to_iptables_command_state().
| void nft_parse_cmp | ( | struct nft_xt_ctx * | ctx, |
| struct nft_rule_expr * | e | ||
| ) |
References data, nft_xt_ctx::family, nft_xt_ctx::flags, NFT_EXPR_CMP_SREG, nft_family_ops_lookup(), nft_rule_expr_get_u32(), NFT_XT_CTX_META, NFT_XT_CTX_PAYLOAD, nft_family_ops::parse_meta, nft_family_ops::parse_payload, and nft_xt_ctx::reg.
Referenced by nft_rule_to_arptables_command_state(), and nft_rule_to_iptables_command_state().
| void nft_parse_counter | ( | struct nft_rule_expr * | e, |
| struct xt_counters * | counters | ||
| ) |
References xt_counters::bcnt, NFT_EXPR_CTR_BYTES, NFT_EXPR_CTR_PACKETS, nft_rule_expr_get_u64(), and xt_counters::pcnt.
Referenced by nft_rule_to_arptables_command_state(), and nft_rule_to_iptables_command_state().
| void nft_parse_immediate | ( | struct nft_xt_ctx * | ctx, |
| struct nft_rule_expr * | e | ||
| ) |
References data, nft_xt_ctx::family, NF_ACCEPT, NF_DROP, NFT_EXPR_IMM_CHAIN, NFT_EXPR_IMM_VERDICT, nft_family_ops_lookup(), NFT_GOTO, NFT_JUMP, NFT_RETURN, nft_rule_expr_get_str(), nft_rule_expr_get_u32(), NULL, nft_family_ops::parse_immediate, and verdict.
Referenced by nft_rule_to_arptables_command_state(), and nft_rule_to_iptables_command_state().
| void nft_parse_meta | ( | struct nft_xt_ctx * | ctx, |
| struct nft_rule_expr * | e | ||
| ) |
References nft_xt_ctx::flags, nft_xt_ctx::key, nft_xt_ctx::meta, NFT_EXPR_META_DREG, NFT_EXPR_META_KEY, nft_rule_expr_get_u32(), NFT_XT_CTX_META, and nft_xt_ctx::reg.
Referenced by nft_rule_to_arptables_command_state(), and nft_rule_to_iptables_command_state().
| void nft_parse_payload | ( | struct nft_xt_ctx * | ctx, |
| struct nft_rule_expr * | e | ||
| ) |
References nft_xt_ctx::flags, NFT_EXPR_META_DREG, NFT_EXPR_PAYLOAD_OFFSET, nft_rule_expr_get_u32(), NFT_XT_CTX_PAYLOAD, nft_xt_ctx::offset, nft_xt_ctx::payload, and nft_xt_ctx::reg.
Referenced by nft_rule_to_arptables_command_state(), and nft_rule_to_iptables_command_state().
| void nft_parse_target | ( | struct nft_xt_ctx * | ctx, |
| struct nft_rule_expr * | e | ||
| ) |
References xt_entry_target::data, data, nft_xt_ctx::family, xtables_target::name, NFT_EXPR_TG_INFO, NFT_EXPR_TG_NAME, NFT_EXPR_TG_REV, nft_family_ops_lookup(), nft_rule_expr_get(), nft_rule_expr_get_str(), nft_rule_expr_get_u32(), NULL, nft_family_ops::parse_target, size, xtables_target::t, xt_entry_target::target_size, xt_entry_target::u, xt_entry_target::user, XT_ALIGN, xtables_find_target(), and XTF_TRY_LOAD.
Referenced by nft_rule_to_arptables_command_state(), and nft_rule_to_iptables_command_state().
| void nft_rule_to_iptables_command_state | ( | struct nft_rule * | r, |
| struct iptables_command_state * | cs | ||
| ) |
References iptables_command_state::counters, nft_xt_ctx::cs, nft_xt_ctx::family, nft_xt_ctx::iter, iptables_command_state::jumpto, xtables_target::name, name, nft_parse_bitwise(), nft_parse_cmp(), nft_parse_counter(), nft_parse_immediate(), nft_parse_meta(), nft_parse_payload(), nft_parse_target(), NFT_RULE_ATTR_FAMILY, nft_rule_attr_get_u32(), NFT_RULE_EXPR_ATTR_NAME, nft_rule_expr_get_str(), nft_rule_expr_iter_create(), nft_rule_expr_iter_destroy(), nft_rule_expr_iter_next(), NULL, nft_xt_ctx::state, iptables_command_state::target, xtables_find_target(), and XTF_TRY_LOAD.
Referenced by nft_ipv46_rule_find(), nft_rule_save(), and nft_rule_zero_counters().
| void parse_meta | ( | struct nft_rule_expr * | e, |
| uint8_t | key, | ||
| char * | iniface, | ||
| unsigned char * | iniface_mask, | ||
| char * | outiface, | ||
| unsigned char * | outiface_mask, | ||
| uint8_t * | invflags | ||
| ) |
References DEBUGP, IPT_INV_VIA_IN, IPT_INV_VIA_OUT, len, NFT_CMP_NEQ, NFT_EXPR_CMP_DATA, NFT_EXPR_CMP_OP, NFT_META_IIF, NFT_META_IIFNAME, NFT_META_OIF, NFT_META_OIFNAME, nft_rule_expr_get(), nft_rule_expr_get_u32(), and value.
| void print_firewall_details | ( | const struct iptables_command_state * | cs, |
| const char * | targname, | ||
| uint8_t | flags, | ||
| uint8_t | invflags, | ||
| uint8_t | proto, | ||
| unsigned int | num, | ||
| unsigned int | format | ||
| ) |
References xt_counters::bcnt, iptables_command_state::counters, FMT, FMT_LINENUMBERS, FMT_NOCOUNTS, FMT_NOTARGET, FMT_NUMERIC, xt_counters::pcnt, proto_to_name(), XT_INV_PROTO, and xtables_print_num().
| void print_header | ( | unsigned int | format, |
| const char * | chain, | ||
| const char * | pol, | ||
| const struct xt_counters * | counters, | ||
| bool | basechain, | ||
| uint32_t | refs | ||
| ) |
References xt_counters::bcnt, FMT, FMT_KILOMEGAGIGA, FMT_LINENUMBERS, FMT_NOCOUNTS, FMT_NOTABLE, FMT_NOTARGET, FMT_OPTIONS, FMT_VIA, xt_counters::pcnt, and xtables_print_num().
| void print_ifaces | ( | const char * | iniface, |
| const char * | outiface, | ||
| uint8_t | invflags, | ||
| unsigned int | format | ||
| ) |
References FMT, FMT_NUMERIC, FMT_VIA, IFNAMSIZ, IPT_INV_VIA_IN, and IPT_INV_VIA_OUT.
| void print_matches_and_target | ( | struct iptables_command_state * | cs, |
| unsigned int | format | ||
| ) |
| void print_proto | ( | uint16_t | proto, |
| int | invert | ||
| ) |
| void save_counters | ( | uint64_t | pcnt, |
| uint64_t | bcnt | ||
| ) |
| void save_firewall_details | ( | const struct iptables_command_state * | cs, |
| uint8_t | invflags, | ||
| uint16_t | proto, | ||
| const char * | iniface, | ||
| unsigned const char * | iniface_mask, | ||
| const char * | outiface, | ||
| unsigned const char * | outiface_mask | ||
| ) |
References IPT_INV_VIA_IN, IPT_INV_VIA_OUT, NULL, and XT_INV_PROTO.
| void save_matches_and_target | ( | struct xtables_rule_match * | m, |
| struct xtables_target * | target, | ||
| const char * | jumpto, | ||
| uint8_t | flags, | ||
| const void * | fw | ||
| ) |
1.8.8 
